Register to stream ATT&CKcon 2.0 October 29-30


HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]

ID: S0398
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1073 DLL Side-Loading HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload. [1]
Enterprise T1106 Execution through API HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API. [1]
Enterprise T1107 File Deletion HyperBro has the ability to delete a specified file. [1]
Enterprise T1055 Process Injection HyperBro can run shellcode it injects into a newly created process. [1]
Enterprise T1105 Remote File Copy HyperBro has the ability to download additional files. [1]
Enterprise T1113 Screen Capture HyperBro has the ability to take screenshots. [1]
Enterprise T1035 Service Execution HyperBro has the ability to start and stop a specified service. [1]
Enterprise T1071 Standard Application Layer Protocol HyperBro has used HTTPS for C2 communications. [1]
Enterprise T1007 System Service Discovery HyperBro can list all services and their configurations. [1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 [1] [2] [3]